Security researchers have uncovered a backdoor used in attacks against governments and organizations in the Association of Southeast Asian Nations (ASEAN).
Dubbed “BLOODALCHEMY” by researchers at Elastic Security Labs, the backdoor targets x86 systems and is part of the REF5961 intrusion set recently adopted by a group with links to China.
An intrusion set is a term that groups together known tactics, techniques, and tools associated with an attack and the campaigns those attacks are contributing to. Usually, these intrusion sets are adopted by a single unknown attacker, and the tooling of REF5961 has been observed in a separate espionage-focused attack on the Mongolian government.
BLOODALCHEMY is the new backdoor that’s been used by the operators of REF5961, but even though skilled malware developers are believed to have worked on the program, it’s still thought to be a work in progress.
Although it’s a functional malware strain, part of the three new malware families uncovered through analyzing REF5961, its capabilities are still limited.
“While unconfirmed, the presence of so few effective commands indicates that the malware may be a subfeature of a larger intrusion set or malware package, still in development, or an extremely focused piece of malware for a specific tactical usage,” said Elastic in a blog.
Researchers were only able to spot a handful of impactful commands, which included the ability to write or overwrite the malware toolset, launch the malware binary, uninstall and terminate, and gather host information.
Its uninstall command was used to uncover the multiple ways in which BLOODALCHEMY achieves persistence on the target machine.
The backdoor copies itself into its persistence folder by adding a new folder called “Test” and inside is “test.exe” – the malware binary. Researchers said the chosen persistence folder depends on the level of privileges BLOODALCHEMY was granted, but can be one of four possible folders:
It also demonstrated its ability to achieve persistence through different means. Other notable capabilities included a “classic” approach to masking data that involves string encryption alongside additional obfuscation techniques, as well as multiple running modes.
Depending on the malware’s configuration, it can work either within the main thread or in a separate one, run itself as a service, or inject shellcode after starting a Windows process.
Part of a broader toolbox
BLOODALCHEMY is part of the REF5961 intrusion set, which itself contains three new malware families being used in ongoing attacks. These malware families have since been linked to previous attacks.
Common victimology, tooling, and execution flows observed in multiple campaigns against ASEAN members have led researchers to believe the operators of REF5961 are China-aligned.
Malware samples in REF5961 have also been found in a previous intrusion set, REF2924, which is believed to be used in attacks on ASEAN members, including the Mongolian Ministry of Foreign Affairs.
Elastic Security Labs believes the operators of both intrusion sets to be state-sponsored and espionage-motivated. China’s efforts in state-sponsored cyber campaigns have historically focused heavily on espionage, and the US deems China the “broadest, most active, and persistent cyber espionage threat” to the country.
“Beijing’s willingness to use espionage, subsidies, and trade policy to try to give its firms a competitive advantage represents not just an ongoing challenge for the US economy and its workers, but also advances Beijing’s attempts to assume leadership of the world’s technological advancement and standards,” reads The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment.
The three new malware families of REF5961 have been called EAGERBEE, RUDEBIRD, and DOWNTOWN.
Unlike BLOODALCHEMY, EAGERBEE’s makeup suggests its level of technical sophistication was just average, and is one of the three REF5961 strains that was previously known but unnamed until recently.
Evidence points to it also being used in the attack on the Mongolian government department through the REF2924 intrusion set – an example of the code and tool sharing between the two sets.
Both RUDEBIRD and DOWNTOWN were also spotted in the REF2924 campaigns, with the former being a lightweight Windows backdoor and the latter a modular implant that’s previously been attributed to a Chinese state-sponsored cyberspy group, TA428.
The two also share a similarity with BLOODALCHEMY in that all three still have debugging frameworks included – tools that are usually removed before entering the production stage – which is evidence to suggest they’re still being actively worked on by their operators. ®